'silent VLAN's' & Security
Aaron D. Turner (aturner vicinity.com)
Wed, 16 Jun 1999 12:40:54 -0700 (PDT)
My company is evaluating some co-lo providers. One provider (who will
remain nameless) rather than giving each customer his own IP
subnet/VLAN off their Cisco Catalyst and using an RSM, puts them in a
*shared* VLAN on the same Class C. Each customer system connects
directly to the shared Cat. So if I have 10 servers, I use 10 ports
on the co-lo's Cat.
It doesn't take a rocket scientist to see that any site can be DOS'ed
to death if someone changes their IP on their system to be someone
else's system. Implementing a firewall between myself and other
customers is plain impossible. I mentioned this to the company and
they told me they were going to be implementing Cisco's new (and yet
released) 'silent VLAN' technology to prevent one customer from
being able to see another customer. Everyone would still share the
same Class C however.
Now I know traditional VLANs on Cisco Catalyst hardware can be forced
to pass traffic between VLANs, especially during high load (which,
being a co-lo company, one would expect). I would expect that this
flaw would also be in this silent VLAN technology. Also, what about
someone changing their MAC address to be mine? And will 'silent
VLANs' really do what they say, or is this some ploy to give me warm
fuzzies because they don't want to have to re-architect their entire
network?
Does anyone have any info on silent VLANs? Nothing on CCO, and
apparently it's still in alpha, which has made getting any info
difficult at best.
Thanks.
--
Aaron Turner, CNE aturnervicinity.com 650.237.0311 x252
Network Engineer Vicinity Corp. http://www.vicinity.com
Email-to-page: 6505721411.1146752 pagenet.net [Subject & Body sent]
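The two risks the post raises on a shared VLAN, another tenant configuring one of your IP addresses on their box, or cloning one of your MAC addresses, both show up on the wire as ARP replies that contradict the IP-to-MAC bindings you know to be yours. The script below is an added example (not from the original post, and not any Cisco or Vicinity tooling) of the kind of passive ARP audit a tenant can run on a span/mirror of their own ports. It parses tcpdump-style ARP reply lines, compares each against a table of the bindings the tenant owns, and reports three conditions: one of your IPs announced by a foreign MAC (IP takeover), one of your MACs announcing an IP you do not own (MAC cloning or misconfiguration), and any IP whose MAC changes between observations (the generic flip-flop check arpwatch performs). The log lines, IP addresses (from the 192.0.2.0/24 documentation range) and MAC addresses are all constructed for the example.

```python
"""Passive ARP audit for a shared Layer 2 segment (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    seen_at: float
    sender_ip: str
    sender_mac: str


# Matches tcpdump output such as:
#   930000000.000001 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:01, length 28
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ARP,\s+Reply\s+(?P<ip>[\d.]+)\s+is-at\s+(?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)

# Constructed: the IP -> MAC bindings this tenant owns on the shared VLAN.
MY_BINDINGS = {
    "192.0.2.10": "00:11:22:33:44:01",
    "192.0.2.11": "00:11:22:33:44:02",
}

# Constructed sample capture. The request line is ignored; only replies bind IP to MAC.
SAMPLE_LOG = """\
930000000.000001 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:01, length 28
930000001.000001 ARP, Reply 192.0.2.11 is-at 00:11:22:33:44:02, length 28
930000002.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
930000002.500001 ARP, Reply 192.0.2.50 is-at 00:aa:bb:cc:dd:01, length 28
930000030.000001 ARP, Reply 192.0.2.10 is-at 00:aa:bb:cc:dd:01, length 28
930000031.000001 ARP, Reply 192.0.2.11 is-at 00:11:22:33:44:02, length 28
930000040.000001 ARP, Reply 192.0.2.60 is-at 00:11:22:33:44:01, length 28
"""


def parse_arp_replies(lines):
    """Extract (timestamp, sender IP, sender MAC) from tcpdump-style ARP reply lines."""
    replies = []
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append(ArpReply(float(m["ts"]), m["ip"], m["mac"].lower()))
    return replies


def audit_arp(replies, owned):
    """Return alerts as (seen_at, kind, ip, mac) tuples, in observation order.

    kind is one of:
      ip-takeover : an IP we own was announced by a MAC that is not ours
      foreign-ip  : one of our MACs announced an IP we do not own
      mac-flip    : any IP's MAC changed since the previous reply for that IP
    """
    owned_macs = set(owned.values())
    last_seen = {}  # ip -> most recent MAC observed for it
    alerts = []
    for r in replies:
        if r.sender_ip in owned and r.sender_mac != owned[r.sender_ip]:
            alerts.append((r.seen_at, "ip-takeover", r.sender_ip, r.sender_mac))
        if r.sender_mac in owned_macs and r.sender_ip not in owned:
            alerts.append((r.seen_at, "foreign-ip", r.sender_ip, r.sender_mac))
        prev = last_seen.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.seen_at, "mac-flip", r.sender_ip, r.sender_mac))
        last_seen[r.sender_ip] = r.sender_mac
    return alerts


def run_sample():
    """Audit the constructed capture against the constructed bindings."""
    return audit_arp(parse_arp_replies(SAMPLE_LOG.splitlines()), MY_BINDINGS)


if __name__ == "__main__":
    for seen_at, kind, ip, mac in run_sample():
        print(f"t={seen_at:.0f} {kind:12s} ip={ip} mac={mac}")
```

On the sample capture the fifth reply raises both an ip-takeover alert (192.0.2.10 claimed by the other tenant's MAC) and a mac-flip alert, and the last reply raises foreign-ip because one of our own MACs is suddenly answering for 192.0.2.60. None of this stops the attack on a shared VLAN, which is the poster's real complaint; it only gives the tenant evidence and an early warning, which is still worth having while the provider's isolation story remains unverified.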
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:00 CDT